I'm using Facebook as an option for logging into my website, and then am doing Graph API requests on behalf of them. I'm upgrading to both the new JavaScript SDK and the PHP SDK to use their latest oAuth stuff before the October 1 deadline.

The PHP SDK now comes with an abstract BaseFacebook and they have an example Facebook class implementation that relies on PHP $_SESSIONs. I run a pretty large multi-server website, which makes using $_SESSIONs tricky -- can't use the default file-based sessions, and database-backed sessions often are no good for performance reasons. Not sure I want them in Memcached either as users shouldn't get logged out if it's cleared, etc.

The concrete class only needs you to persist these 4 fields for each visitor: state, code, access_token, user_id. It seems like not all of these really need to be pure $_SESSION based. I'm trying to determine what really needs to go where...

For example, the state data seems like it can be stored in a client-side cookie as it's only 1-time use for CSRF prevention.

Does the auth code really need persisting or is it only used once?

Can the user_id and access_token be stored in my users MySQL database? If so, how do I identify who a Facebook-authed user is to login them in, using the fbsr_ cookie?

I'm happy to store some stuff in the database as long as it's clear that it's only be accessed when necessary (not on every page request for logged out users).

Basically: Is it feasible to authenticate FB users without using $_SESSIONs? Where by "sessions", I mean some PHP-set cookie for all visitors (logged in or not) that links them with server-side data.

You are correct about state and code, they are for one-time use during initial authentication and do not need to be persisted to other pages.

Userid can be stored in the database, and often is done so as a permanent entry. Access_token can be stored in the database, but of course it is not a permanent value and will have to be refreshed often. But it can be a way to avoid using sessions or cookies as long as you have some other way to identify the user so you can pull the token from the db.

I have never been crazy about the idea of using PHP sessions for Facebook apps anyway, for reasons of cookie (un)reliability. You might want to take a look at http://www.braintilt.com/fbcookies.php for some ideas about avoiding the dependence on sessions that most Facebook examples are filled with. Of course if you're not adverse to cookies you can set your own and just use that to propogate the user identifier, rather that the GET/POST methods outlined there.

Based on what i know, the code need not be stored, as it is used only once, during auth.
You might want to store the access_token as it'll help you to call the graph api for user information, if you require, but you have to keep in mind that it is valid only for 2 hours or so. After that you will have to re-auth using getLoginUrl().
The user_id can obviously be stored, it's the Facebook user_id and it wont change. However to get the user_id, you need to parse the signed_request that facebook sends. Or you can directly call getUser() .
When getUser() returns null, you know that the user is not authenticated by facebook, and then you can redirect the user to the url returned from getLoginUrl() to get your user authenticated by facebook. After authentication, you will be getting the user_id by calling getUser().
So you know that a user is Facebook authed if getUser() returns a user_id.
Facebook has really improved the PHP SDK documentation, it wont take that much time for you to go through it.
So finally, you can store all of these in sessions, however, you'd be better off storing user_id in your db. I would suggest, that you use sessions to store the access_token, and also always call getUser() to know the status of the visitor.
Hope you got what u were looking for..
edit: you have posted the same question twice!!!

The Facebook PHP SDK (beginning with v3.0) is split into two main parts, The Facebook class used to interact with the Facebook API and the abstract class BaseFacebook. The Facebook class extends this abstract class. The BaseFacebook abstract class implements the core oAuth API for Facebook, providing all of the public facing functions used when instantiating a new Facebook object.

The session handling related functions are abstract functions that are implemented in the Facebook class. There are four functions that must be implemented:

These classes are used to get, set, and clear any persistent data used by the session. In the default Facebook class these use the PHP $_SESSION variable to store this data. By implementing these functions in your own class that extends BaseFacebook it is possible to change to any type of session handling you desire.

There are four keys used by BaseFacebook that are stored in the persisted data: 'state', 'code', 'access_token', and 'user_id'.

The 'state' is used to determine the current state in the authentication of the oAuth request. It is not used after a 'code' is retrieved.

The 'code' is used to retrieve an 'access_token' from Facebook. It is not used after an 'access_token' is retrieved.

The 'access_token' is used in subsequent request to the Facebook oAuth API. I believe it is only good for about 2 hours.

The 'user_id' is the user's Facebook ID. This value is unique to that users and persistent. It can be saved indefinitely.

This information is still valid in the current version of the SDK (as of this writing v3.2.2).